Federal Risk and Authorization Management Program (FedRAMP) Automation
Based on the Open Security Controls Assessment Language (OSCAL)
December 16, 2019
The FedRAMP Program Management Office (PMO) has drafted FedRAMP-specific extensions and guidance to ensure our stakeholders can fully express a FedRAMP System Security Plan (SSP) using NIST's OSCAL SSP syntax.
We Want Your Feedback!
The FedRAMP PMO is releasing the following files for public review and comment:
- FedRAMP OSCAL Registry: This registry is the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available here.
- Guide to OSCAL-based FedRAMP System Security Plans: This document enables tool developers to generate OSCAL-based SSP files that fully comply with FedRAMP's extensions, defined identifiers, and accepted values. The draft for public comment is available here.
- OSCAL-based FedRAMP SSP Template: The template file is pre-populated with FedRAMP extensions and defined identifiers where practical. It also includes some sample data and is the basis for the guidance document above. The draft for public comment is available in both XML and JSON formats.
- FedRAMP Baselines: The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML and JSON formats) are available here.
FedRAMP's work is based on NIST's OSCAL 1.0.0-Milestone2 release. Using these files requires an understanding of the core OSCAL syntax, and the files depend on NIST-provided resources to function correctly.
The following NIST resources are available:
- NIST's Main OSCAL Site: https://pages.nist.gov/OSCAL/
- NIST's OSCAL GitHub Repository: https://github.com/usnistgov/OSCAL
- OSCAL Workshop Training Slides: Provided at an October workshop hosted by the NIST OSCAL Team. The early portions of the deck provide an overview, with more technical details beginning on slide 52. https://pages.nist.gov/OSCAL/downloads/OSCAL-workshop-20191105.pdf
- NIST's SP 800-53 and 800-53A, Revision 4: NIST is also providing SP 800-53 and SP 800-53A, Revision 4 content, as well as the NIST High, Moderate, and Low baselines, in OSCAL (XML, JSON, and YAML formats) here.